Secure: Does LuxSci Hold the Keys to Unlock your Secure Email Data?
For many different reasons, customers have asked us if we hold the keys to unlocking their email data. Why?
- Compliance / Emergencies: Customers with compliance needs, such as HIPAA, need to have emergency access to data … and that can mean appealing to LuxSci to access data to which the customer has otherwise lost access. Having the keys in this case is very important.
- Privacy: On the other end of the spectrum, some customers want to do as much as possible to ensure that no one, not even LuxSci staff, can access their email data.
Both considerations are extremely valid in their own context. The answer is that “it depends”. For security and flexibility, LuxSci presents customers a variety of email encryption options that span the complete range from “completely unencrypted” to “LuxSci has no possible access”. It is up to the customer to choose where in that spectrum they fall … often balancing ease of use with security needs.
In the following sections, we will consider to what degree LuxSci can assist customers in accessing email (and WebAides) data, based on what encryption options the customer has chosen. We also discuss where and how your trust in LuxSci comes into play. Understanding if and when LuxSci can access encrypted data is different from understanding when messages are encrypted at rest.
Accessing Encrypted WebAides Data
LuxSci’s WebAides provide collaboration functionality and include such things as shared files, calendars, contacts, and more. The “File”, “Internal Blog” and “Password Library” WebAides allow encryption of the individual entries. The content of other WebAides, e.g. calendars, is stored in a secured database, but is not specifically encrypted.
If you choose to encrypt your WebAide entries (Password WebAide entries are always encrypted), then a PGP certificate is used. Separate certificates are used for each user and User Group — customers can upload their own personal PGP certificates, if they have them, or allow LuxSci to generate these for them. LuxSci holds the public and private keys for these PGP certificates; the customer holds the passwords needed to use the secret keys to open the entries.
In order to save new entries or open existing encrypted entries, the customer must enter their personal PGP passwords. These can be temporarily cached in secure cookies in the customer’s web browser, but they are not saved on LuxSci’s servers. The exception is if the customer explicitly requests that the passwords to their personal PGP keys be securely saved in LuxSci’s system … so that these passwords can be recovered in case of loss.
We call this “Escrowing” the password; such passwords are encrypted with a special encryption key that only senior LuxSci staff can unlock.
So, what does this mean?
- Escrowed Passwords: If you Escrow your PGP password with LuxSci, then we can technically unlock your encrypted WebAides entries; we can recover your PGP password for you if you lose it and can thus ensure access to encrypted data in case of emergency or loss.
- Not Escrowed: If you do not choose to have LuxSci save a copy of your password, then LuxSci staff cannot unlock any of your data. If you lose your PGP password, then your data is forever lost.
- Trust: As the WebAides encryption and decryption are performed on LuxSci’s servers, there is always a level of trust that (a) our system is not compromised, and (b) we are not capturing passwords “anyway”. There is no way to be 100% assured that LuxSci cannot ever access your encrypted WebAides data. This implicit trust is true of almost all online encryption services.
Regular Email Data
Regular email data is stored in email folders on the server in an unencrypted format. LuxSci has full access to these raw email messages. This applies to email for all users who do not have LuxSci’s SecureLine email encryption service.
Email Messages Sent or Received using TLS
SMTP TLS enables secure transmission of email messages between email servers. Messages transmitted using TLS are unencrypted once they arrive and before they are sent. So, unless some additional layer of encryption is used in addition to TLS (e.g., one of those described below) these messages are the same as “Regular Email Data” when stored on the server.
Email Messages Sent using SecureLine Escrow
SecureLine Escrow is a simple way to send a secure email message to anyone with an email address. The messages are encrypted and stored in a secure database. The recipient clicks through from a notification email to our secure web portal to access the message, which is decrypted and presented to the recipient.
SecureLine Escrow has two distinct modes of operation:
In the standard mode, the decryption password for every message is included only in the notification email sent to the recipient. Without the recipient’s notification email message, no one can decrypt these saved secure messages. If the recipient’s notification message is lost or deleted, then the saved secure email content is forever inaccessible.
Trust: There is a level of trust involved here – that LuxSci is indeed not saving these per-message encryption passwords anywhere.
Customers with Private Labeling can enable a feature called “Message Center” which allows the Escrow message pickup portal to act like an online secure email “INBOX” … each recipient can easily access all of his/her received secure messages once logged in. This is great for usability and convenience. However, when Message Center is enabled, LuxSci can technically access and recover the content of the saved encrypted messages.
Message Center is in this way more user friendly and less secure than the standard mode of Escrow. However, it also provides for a level of data recovery and emergency access not possible using the standard mode.
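The difference between the two Escrow modes, and between escrowed and non-escrowed PGP passwords in the WebAides section above, comes down to one question: does the provider keep a copy of the password or not? The following Go program is an added illustration written for this article, not LuxSci’s code, and it does not claim to reproduce how SecureLine is actually built. It models a message encrypted with AES-256-GCM under a fresh random per-message password; in “standard mode” that password is returned to the caller (standing in for the notification email) and nothing else is kept, while in “escrowed mode” a copy is also wrapped under a provider master key. `ProviderRecover` shows what the service can do with no input from the recipient in each case. The SHA-256 key derivation, the `StoredMessage` layout and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model (not LuxSci's code) of the custody choices described in the
// article: the provider can decrypt later only if it kept a copy of the password.
// deriveKey turns a password into an AES-256 key. SHA-256(salt || password)
// stands in for a proper slow KDF such as PBKDF2, scrypt or Argon2.
func deriveKey(password, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(password)
	return h.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable here
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can get here
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM; the random nonce is prefixed to the output.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails authentication and returns an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoredMessage is everything the provider retains. EscrowedPassword is nil in
// standard mode and holds the password wrapped under the master key otherwise.
type StoredMessage struct {
	Salt, Ciphertext, EscrowedPassword []byte
}

// Store encrypts plaintext under a fresh random password and returns the record
// the provider keeps plus that password (the secret that goes only to the recipient).
func Store(masterKey, plaintext []byte, escrow bool) (*StoredMessage, []byte) {
	password, salt := randomBytes(16), randomBytes(16)
	msg := &StoredMessage{Salt: salt, Ciphertext: seal(deriveKey(password, salt), plaintext)}
	if escrow {
		msg.EscrowedPassword = seal(masterKey, password)
	}
	return msg, password
}

// RecipientOpen is the pickup-portal path: the recipient supplies the password.
func RecipientOpen(msg *StoredMessage, password []byte) ([]byte, error) {
	return open(deriveKey(password, msg.Salt), msg.Ciphertext)
}

// ProviderRecover is what the provider can do alone, with no input from the recipient.
func ProviderRecover(masterKey []byte, msg *StoredMessage) ([]byte, error) {
	if msg.EscrowedPassword == nil {
		return nil, errors.New("standard mode: no escrowed password, provider cannot decrypt")
	}
	password, err := open(masterKey, msg.EscrowedPassword)
	if err != nil {
		return nil, err
	}
	return open(deriveKey(password, msg.Salt), msg.Ciphertext)
}

func main() {
	masterKey := randomBytes(32)
	standard, _ := Store(masterKey, []byte("constructed sample body"), false)
	_, err := ProviderRecover(masterKey, standard)
	fmt.Println("standard mode, provider alone:", err)
	escrowed, _ := Store(masterKey, []byte("constructed sample body"), true)
	pt, _ := ProviderRecover(masterKey, escrowed)
	fmt.Println("escrowed mode, provider alone:", string(pt))
}
```

The point the model makes concrete is the “Trust” caveat in the article: in standard mode the stored record contains no password, so recovery by the provider fails by construction, but nothing in the ciphertext itself proves that the provider discarded the password after generating it. The recipient has to trust the code path, which is exactly why the client-side PGP/S/MIME option described later removes the provider from the picture entirely.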
Email Messages Sent using PGP or S/MIME
SecureLine also supports public key email encryption using PGP and S/MIME. In these cases, the messages are always encrypted and are unlocked by the recipient upon entering the password to his/her PGP or S/MIME encryption key. There are several approaches to this, with varying levels of security:
Customers who save their PGP or S/MIME certificate and password with LuxSci can choose to have their received messages auto-decrypted and turned into normal email messages. These messages are then stored unencrypted on LuxSci’s servers and are very easily accessed from any email program and WebMail.
Clearly, these messages are accessible by LuxSci just like “normal email”.
PGP and S/MIME with Password Escrow
Customers who do not auto-decrypt messages may still have their PGP or S/MIME passwords Escrowed with LuxSci so that we can recover them if lost. In these cases, LuxSci technically has access to your keys and passwords and can thus recover or access encrypted message data saved on LuxSci’s servers.
No Password Escrow
Using PGP or S/MIME with your certificates saved at LuxSci but without your passwords saved allows you to use LuxSci WebMail to send and open secure messages … you simply need to enter the password to your PGP and/or S/MIME certificate as needed.
In this scenario, encrypted messages cannot be opened or recovered by LuxSci (as we have the certificate key, but not the password), and if you lose your password, then all encrypted messages are forever inaccessible.
Trust: This involves a level of trust that LuxSci is not capturing your passwords when you enter them in WebMail for temporary use.
PGP and S/MIME only from your Email Program
In this last scenario, your PGP or S/MIME certificates are stored only in your email program and NOT on LuxSci. All encryption and decryption takes place on your computer and not on LuxSci’s servers. As a result, LuxSci doesn’t have your keys and never sees your passwords, and thus LuxSci can never access your encrypted email data — and no trust is required. You just need to set up your email clients to use S/MIME (for example) and start sending.
The downside of this scenario is that you can only easily communicate with others using S/MIME (for example), and you have to get their keys from them and send your public key to them. Also, you are responsible for ensuring that you do not lose your passwords. For more information, see The Case for Email Security.
This is by far the most secure thing you can do, but the least user friendly and most cumbersome.
What is usually done?
Customers with LuxSci SecureLine are configured for maximum usability to:
- Use SMTP TLS whenever possible.
- Fall back to Standard Mode Escrow for secure messages when SMTP TLS is not possible.
Customers wishing to enhance security can:
- Disable SMTP TLS or restrict its use for particular recipients or recipient domains.
- Create or import PGP and/or S/MIME certificates for themselves or particular recipients.
- Choose to escrow (or not) their PGP and/or S/MIME passwords.
Many other security options are also available.
What about sent email?
Sent email messages are usually saved to your sent email folder by appending the message using IMAP without any special encryption. There are ways to ensure that sent email is encrypted, not saved at all, or only saved on your computer. For more details on these options, see: ensuring that your data is always encrypted at rest.